How a Computer Sleuth Traced a Digital Trail

By John Markoff

And if, as Federal authorities contend, the 31-year-old computer outlaw
Kevin D. Mitnick is the person behind a recent spree of break-ins to hundreds
of corporate, university and personal computers on the global Internet, his
biggest mistake was raising the interest and ire of Tsutomu Shimomura.

Mr. Shimomura, who is 30, is a computational physicist with a reputation
as a brilliant cybersleuth in the tightly knit community of programmers and
engineers who defend the country's computer networks. And it was Mr.
Shimomura who raised the alarm in the Internet world after someone used
sophisticated hacking techniques on Christmas Day to remotely break into the
computers he keeps in his beach cottage near San Diego and steal thousands of
his data files.

Almost from the moment Mr. Shimomura discovered the intrusion, he made it
his business to use his own considerable hacking skills to aid the Federal
Bureau of Investigation's inquiry into the crime spree. He set up stealth
monitoring posts, and each night over the last few weeks, used software of his
own devising to track the intruder, who was prowling the Internet. The
activity usually began around midafternoon, Eastern time, broke off in the
early evening, then resumed shortly after midnight and continued through
dawn.

The monitoring by Mr. Shimomura enabled investigators to watch as the
intruder commandeered telephone company switching centers, stole computer
files from Motorola, Apple Computer and other companies, and copied 20,000
credit-card account numbers from a commercial computer network used by some
of the computer world's wealthiest and technically savviest people.

And it was Mr. Shimomura who concluded last Saturday that the intruder
was probably Mr. Mitnick, whose whereabouts had been unknown since
November 1992, and that he was operating from a cellular phone network in
Raleigh, N.C.

On Sunday morning, Mr. Shimomura took a flight from San Jose, Calif., to
Raleigh-Durham International Airport. By 3 A.M. Monday, he had helped local
telephone company technicians and Federal investigators use cellular-frequency
scanners to pinpoint Mr. Mitnick's location: a 12-unit apartment building in
the northwest Raleigh suburb of Duraleigh Hills.

Over the next 48 hours, as the F.B.I. sent in a surveillance team, obtained
warrants and prepared for an arrest, cellular telephone technicians from
Sprint Cellular monitored the electronic activities of the person they
believed to be Mr. Mitnick.

The story of the investigation, particularly Mr. Shimomura's role, is a
tale of digital detective work in the ethereal world known as cyberspace.

When a Detective Becomes a Victim

On Christmas Day, Tsutomu Shimomura was in San Francisco, preparing to
make the four-hour drive to the Sierra Nevada, where he spends most of each
winter as a volunteer on the cross-country ski patrol near Lake Tahoe.

But the next day, before he could leave for the mountains, he received an
alarming call from his colleagues at the San Diego Supercomputer Center, the
federally financed research center that employs him. Someone had broken
into his home computer, which was connected to the center's computer
network.

Mr. Shimomura returned to his beach cottage near San Diego, in Del Mar,
Calif., where he found that hundreds of software programs and files had been
taken electronically from his work station. This was no random ransacking; the
information would be useful to anyone interested in breaching the security of
computer networks or cellular phone systems.

Taunting messages for Mr. Shimomura were also left in a computer-altered
voice on the Supercomputer Center's voice-mail system.

Almost immediately, Mr. Shimomura made two decisions. He was going to
track down the intruders. And Lake Tahoe would have to wait a while this
year.

The Christmas attack exploited a flaw in the Internet's design by fooling a
target computer into believing that a message was coming from a trusted
source. By masquerading as a familiar computer, an attacker can gain access
to protected computer resources and seize control of an otherwise
well-defended system. In this case, the attack had been started from a
commandeered computer at Loyola University of Chicago.
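The weakness the article describes is trust decided by the claimed source address of a message. The following Python is an added illustration, not code from the article or from anyone it names; every host, address, key and packet in it is constructed. It contrasts an address-only trust check with two defender-side controls: an ingress check that rejects a packet claiming an inside address while arriving on the outside interface, and an authenticated check that requires proof of a shared key over the request and never consults the address.

```python
import hashlib
import hmac

# Constructed scenario: a service that grants access to any request whose
# packet claims to come from a "familiar" (trusted) host.
TRUSTED_HOSTS = {"10.0.0.5"}          # constructed address of the trusted machine
INTERNAL_NET = "10.0.0."              # constructed prefix of the site's own network
SHARED_KEY = b"constructed-demo-key"  # hypothetical secret known to client and server


def trusts_by_address(packet):
    """Address-based trust: the claimed source address is the only credential.
    This is the policy the spoofing attack abuses."""
    return packet["src"] in TRUSTED_HOSTS


def arrived_spoofed(packet):
    """Ingress check: a packet carrying an internal source address cannot
    legitimately arrive on the external interface, so it is treated as forged."""
    return packet["iface"] == "external" and packet["src"].startswith(INTERNAL_NET)


def make_tag(payload, key=SHARED_KEY):
    """Authentication tag a genuine client attaches to its request."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def trusts_by_mac(packet, key=SHARED_KEY):
    """Authenticated trust: the sender must prove knowledge of the shared key
    over the request bytes; the address is not consulted at all."""
    expected = make_tag(packet["payload"], key)
    # compare_digest runs in constant time and returns False on length mismatch
    return hmac.compare_digest(expected, packet.get("tag", b""))


def decide(packet):
    """Return (address_only_verdict, hardened_verdict) for the same packet so
    the two policies can be compared side by side."""
    weak = trusts_by_address(packet)
    strong = (not arrived_spoofed(packet)) and trusts_by_mac(packet)
    return weak, strong


REQUEST = b"get /export/home/files"

# Constructed packets: the genuine client knows the key and is on the inside;
# the forged one carries the trusted address but arrives from outside and
# cannot produce a valid tag.
GENUINE = {"src": "10.0.0.5", "iface": "internal",
           "payload": REQUEST, "tag": make_tag(REQUEST)}
FORGED = {"src": "10.0.0.5", "iface": "external", "payload": REQUEST}

if __name__ == "__main__":
    print("genuine:", decide(GENUINE))  # (True, True)
    print("forged: ", decide(FORGED))   # (True, False)
```

The point of the comparison is that the forged packet is accepted by the address-only policy and rejected by both hardened checks independently: the ingress filter alone would have stopped it, and so would the authentication tag alone.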

Though the vandal was deft enough to gain control of Mr. Shimomura's
computers, he, she or they had made a clumsy error. One of Mr. Shimomura's
machines routinely mailed a copy of several record-keeping files to a safe
computer elsewhere on the network -- a fact that the intruder did not notice.

That led to an automatic warning to employees of the Supercomputer Center
that an attack was under way. This allowed the center's staff to throw the
burglar off the system, and it later allowed Mr. Shimomura to reconstruct
the attack.
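The defensive mechanism in the two paragraphs above is an off-host copy of record-keeping files that the intruder cannot reach, which both raises an alarm and preserves evidence for reconstruction. The following Python is an added example, not code from the article or from the Supercomputer Center; the log format, hostnames and addresses are constructed (addresses use documentation ranges). It compares the safe copy with the local file to find entries that were removed, and pulls the outside connections out of the safe copy that the local file no longer shows.

```python
import re

INTERNAL_PREFIX = "192.0.2."  # constructed: the site's own address range

# Constructed: the record-keeping file as it was mailed to the safe host.
SAFE_COPY = [
    "Dec 25 10:02:11 host1 auth: login user=alice from=192.0.2.10",
    "Dec 25 14:09:32 host1 auth: login user=alice from=203.0.113.9",
    "Dec 25 14:10:05 host1 ftp: transfer 412 files to=203.0.113.9",
    "Dec 25 14:21:48 host1 auth: logout user=alice",
]

# Constructed: the same file as found on the machine afterwards. The two
# entries recording the outside connection are gone, and one later, harmless
# entry has been appended by normal operation.
LOCAL_COPY = [
    "Dec 25 10:02:11 host1 auth: login user=alice from=192.0.2.10",
    "Dec 25 14:21:48 host1 auth: logout user=alice",
    "Dec 25 16:00:00 host1 cron: nightly backup ok",
]


def audit_against_safe_copy(safe_copy, local_copy):
    """Compare the local log with the copy held off-host.

    Entries present in the safe copy but absent locally indicate tampering
    and raise the alert. Entries present only locally are expected: the
    machine keeps logging after the copy was sent, so they are reported but
    do not trigger the alarm on their own."""
    local = set(local_copy)
    safe = set(safe_copy)
    missing = [line for line in safe_copy if line not in local]
    appended = [line for line in local_copy if line not in safe]
    return {"missing": missing, "appended": appended, "alert": bool(missing)}


# Matches the peer address in the constructed log format (from=... or to=...)
PEER_RE = re.compile(r"\b(?:from|to)=(\S+)")


def external_connections(lines, internal_prefix=INTERNAL_PREFIX):
    """Return log entries whose peer address lies outside the site's range.
    Run over the safe copy, this recovers the evidence erased locally."""
    hits = []
    for line in lines:
        match = PEER_RE.search(line)
        if match and not match.group(1).startswith(internal_prefix):
            hits.append(line)
    return hits


if __name__ == "__main__":
    report = audit_against_safe_copy(SAFE_COPY, LOCAL_COPY)
    print("alert:", report["alert"])
    for line in report["missing"]:
        print("removed locally:", line)
    for line in external_connections(SAFE_COPY):
        print("outside connection in safe copy:", line)
```

The comparison is deliberately order-insensitive so that a legitimately rotated or appended file does not raise a false alarm; only entries that existed in the mailed copy and have since disappeared count as tampering.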

In computer-security circles, Mr. Shimomura is a respected voice. Over
the years, software security tools that he has designed have made him a
valuable consultant not only to corporations, but also to the F.B.I., the
Air Force and the National Security Agency.

Watching an Attack From a Back Room

The first significant break in the case came on Jan. 28, after Bruce
Koball, a computer programmer in Berkeley, Calif., read a newspaper account
detailing the attack on Mr. Shimomura's computer.

The day before, Mr. Koball had received a puzzling message from the
managers of a commercial on-line service called the Well, in Sausalito,
Calif. Mr. Koball is an organizer for a public-policy group called
Computers, Freedom and Privacy, and Well officials told him that the group's
directory of network files was taking up hundreds of millions of bytes of
storage space, far more than the group was authorized to use. That struck him
as odd, because the group had made only minimal use of the Well. But as he
checked the group's directory on the Well, he quickly realized that someone
had broken in and filled it with Mr. Shimomura's stolen files.

Well officials eventually called in Mr. Shimomura, who recruited a
colleague from the Supercomputer Center, Andrew Gross, and an independent
computer consultant, Julia Menapace. Hidden in a back room at the Well's
headquarters in an office building near the Sausalito waterfront, the three
experts set up a temporary headquarters, attaching three laptop computers
to the Well's internal computer network.

Once Mr. Shimomura had established his monitoring system, the team had an
advantage: it could watch the intruder unnoticed.

Though the identity of the attacker or attackers was unknown, within days a
profile emerged that seemed increasingly to fit a well-known computer outlaw:
Kevin D. Mitnick, who had been convicted in 1989 of stealing software
from the Digital Equipment Corporation.

Among the programs found at the Well and at stashes elsewhere on the
Internet was the software that controls the operations of cellular
telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and other
manufacturers. That would be consistent with the kind of information of
interest to Mr. Mitnick, who had first made his reputation by hacking into
telephone networks.

And the burglar operated with Mr. Mitnick's trademark derring-do. One
night, as the investigators watched electronically, the intruder broke into
the computer designed to protect Motorola Inc.'s internal network from
outside attack, stealing the protective software itself.

Mr. Shimomura's team, aided by Mark Seiden, an expert in computer
security, soon discovered that someone had obtained a copy of the
credit-card numbers for 20,000 members of Netcom Communications Inc., a
service based in San Jose that provides Internet access.

To more easily monitor the invader, the team moved its operation last
Thursday to Netcom's network operation center in San Jose.

High-Tech Tools Force an Endgame

Netcom's center proved to be a much better vantage point. To let its
customers connect their computer modems to its network with only a local
telephone call, Netcom provides thousands of computer dial-in lines in cities
across the country. Hacking into the network, the intruder was connecting a
computer to various dial-in sites to elude detection. Still, every time the
intruder would connect to the Netcom network, Mr. Shimomura was able to
capture the computer keystrokes.

Late last week, F.B.I. surveillance agents in Los Angeles were almost
certain that the intruder was operating somewhere in Colorado. Yet calls
were also coming into the system from Minneapolis and Raleigh.

The big break came late last Saturday in San Jose, as Mr. Shimomura
and Mr. Gross, red-eyed from a 36-hour monitoring session, were eating
pizza. Subpoenas issued by Kent Walker, an assistant United States attorney
in San Francisco, had begun to yield results from telephone company calling
records. And now came data from Mr. Walker that suggested to Mr. Shimomura
that calls had been placed to Netcom's dial-in site in Raleigh through a
cellular telephone modem.

The calls were moving through a local switching office operated by the GTE
Corporation. But GTE's records showed that the calls had looped through a
nearby cellular phone switch operated by Sprint. Because of someone's clever
manipulation of the network software, the GTE switch thought that the call
came from the Sprint switch, and the Sprint switch thought it was from GTE.
Neither company had a record identifying the cellular phone.

When Mr. Shimomura called the number in Raleigh, he could hear it looping
around endlessly with a "clunk, clunk" sound. He called a Sprint technician in
Raleigh and spent five hours comparing Sprint's records with the Netcom
log-ins. It was nearly dawn in San Jose when they determined that the calls
were being placed from near the Raleigh-Durham airport.

By 1 A.M. Monday, Mr. Shimomura was riding around Raleigh with a second
Sprint technician. From the passenger seat, Mr. Shimomura held a
cellular-frequency direction-finding antenna and watched a meter display its
readings on a laptop computer screen. Within 30 minutes the two had
narrowed the site to the Players Court apartment complex in Duraleigh Hills,
three miles from the airport.

At that point, it was time for law-enforcement officials to take over.
At 10 P.M. Monday, an F.B.I. surveillance team arrived.

In order to obtain a search warrant it was necessary to determine a precise
apartment address. And although Mr. Shimomura had found the apartment
complex, pinning down the apartment was difficult because the cellular
signals were creating a radio echo from an adjacent building. The F.B.I. team
set off with its own gear.

On Tuesday evening, the agents had an address -- Apartment 202 -- and at
8:30 P.M. a Federal judge in Raleigh issued the warrant from his home. At 2
A.M. today, F.B.I. agents knocked on the door of Apartment 202.

It took Mr. Mitnick more than five minutes to open the door. When he did,
he said he was on the phone with his lawyer. But when an agent took the
receiver, the line went dead.